Buffer overflow?
Harold Gutch
logix at foobar.franken.de
Fri Aug 1 17:33:16 PDT 2003
On Fri, Aug 01, 2003 at 04:49:04PM -0400, Richard Coleman wrote:
> Matthew Dillon wrote:
> > Well, I am neutral on the topic. I generally consider these
> > sorts of security fixes as masking the problem rather then
> > fixing it. What I would like to see (and another reason for
> > doing the VFS layer and syscall emulation) is a way to limit
> > a program's ability to manipulate its environment to just
> > the files that we say it can access/modify. Also, the ability
> > to wrap a program with another program which takes control of
> > its syscalls (another reason for doing syscall messaging).
> >
> > As an extreme example take a program like 'ls'. There is
> > no reason under the sun for the system to allow a program
> > like 'ls' to exec(), yet nearly all UNIX systems do allow
> > this. You get the drift of where I'm going...
> >
> > The key is to make this all doable in userland. Restricting
> > these sorts of features to the kernel greatly reduces the
> > number of people who can potentially develop code up
> > related projects.
>
> Aren't these exactly the reason that people added Mandatory Access
> Controls (MAC)? It sounds like you want a user space version of MAC's.
>
> Also "systrace" does something similar. I know that OpenBSD has this.
There is an older systrace-version for FreeBSD. You could try
porting that to Dranonfly. It's available from
http://www.citi.umich.edu/u/provos/systrace/freebsd.html
bye,
Harold
More information about the Kernel
mailing list